Description

ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.

Remediation

References

CVE-2015-8838

Related Vulnerabilities

Phusion Passenger Other Vulnerability (CVE-2014-1831)

WordPress Plugin Toolset Types-Custom Post Types, Custom Fields and Taxonomies Multiple Unspecified Vulnerabilities (2.2.2)

WordPress Plugin WP Editor Arbitrary File Upload (1.2.5.3)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-4307)

MySQL CVE-2019-2800 Vulnerability (CVE-2019-2800)

Severity

Medium

Classification

CVE-2015-8838 CWE-284 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities